Using BitLocker Encryption for NIST SP 800-171 & CMMC 2.0 Compliance

You can use Microsoft’s BitLocker encryption to meet NIST SP 800-171 and CMMC 2.0 data at rest encryption requirements. BitLocker is a convenient solution for organizations using Windows operating systems especially if you are using Azure Active Directory and Microsoft Endpoint Manager. BitLocker encryption is easy to deploy and managing keys is easy with Azure Active Directory.

NIST SP 800-171 & CMMC 2.0 requirement 3.13.11 requires that organization’s “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.”

BitLocker is FIPS validated and this can be verified by searching NIST’s Cryptographic Module Validation Program (CMVP) database. For more information on FIPS validated encryption, check out our blog post on the subject.

The following security requirements are directly related to encryption and can generally be met using BitLocker encryption.

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

3.1.19 Encrypt CUI on mobile devices.

3.8.1 Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.

3.8.9 Protect the confidentiality of backup CUI at storage locations.

To protect the confidentiality of controlled unclassified information (CUI) on Windows computers you can use BitLocker encryption. BitLocker will encrypt a computer’s hard drive, thus securing your data at rest. Make sure to save your BitLocker keys when encrypting the devices. If you use Azure Active Directory your BitLocker keys will automatically be saved.

If you store controlled unclassified information (CUI) on removable storage devices such as USB thumb drives or external drives you should encrypt them. BitLocker can be used to accomplish this. For more information on removable storage requirements for NIST SP 800-171 and CMMC 2.0 check out or blog post "The Ultimate Guide to USB Compliance for CMMC and NIST 800-171".

To protect the confidentiality of controlled unclassified information (CUI) stored on SharePoint and OneDrive, Microsoft uses BitLocker encryption.

According to Microsoft, “BitLocker is deployed for OneDrive for Business and SharePoint Online across the service. Per-file encryption is also in OneDrive for Business and SharePoint Online in Microsoft 365 multi-tenant and new dedicated environments that are built on multi-tenant technology.

While BitLocker encrypts all data on a disk, per-file encryption goes even further by including a unique encryption key for each file. Further, every update to every file is encrypted using its own encryption key. The keys to the encrypted content are stored in a physically separate location from the content. Every step of this encryption uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. The encrypted content is distributed across a number of containers throughout the datacenter, and each container has unique credentials. These credentials are stored in a separate physical location from either the content or the content keys.”